Enhanced graphical user interface for representing events

ABSTRACT

Systems and methods are provided for an enhanced graphical user interface (GUI) for presenting events. In particular, a graphical user interface includes, a visualization of unique values. Such a visualization includes a first set of rows for each unique value, wherein each row is divided into regions each representing a timeslot within the time range. Each region in a particular row of the first set of rows graphically illustrates a count of events from the plurality of events that both have an associated timestamp that is within a respective timeslot represented by the region and include a particular unique value associated with the particular row. The graphical user interface also includes a table including a second set of rows that each correspond to the first set of rows. Each row includes a set of statistics determined from events that each include the particular unique value associated with the row.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a Continuation of U.S. patent application Ser. No.15/224,651, filed Jul. 31, 2016, which is itself a Continuation of U.S.patent application Ser. No. 14/165,232, filed Jan. 27, 2014 and issuedas U.S. Pat. No. 9,437,022, the entire contents of both applications areincorporated by reference herein.

TECHNICAL FIELD

The present disclosure relates generally to techniques for processingand visualizing data field values over a period of time.

BACKGROUND

Enterprise organizations and the data analysts they employ face thechallenge of finding useful information in the increasing amounts ofdata generated and collected by these organizations over time. Such “bigdata” may provide, for example, valuable insights into theorganization's operational performance and business patterns associatedwith various parts of the organization. For example, accessing computernetworks of a business enterprise and transmitting electroniccommunications across these networks generates massive amounts of data.Such data generated by machines may include, for example, Web logs ofactivity occurring at various web servers distributed across anenterprise's network.

Analysis of this data can indicate patterns in consumer behavior withrespect to the particular products or brands in which consumers may beinterested during a given period of time. Such pattern analysis also maybe helpful in differentiating normal operational performance fromanomalies. For example, the detection of unusual patterns can allow asystem analyst to investigate the circumstances under which theseunusual patterns emerged and determine whether any issues exist that maypose a threat to the system's operational performance or security.Moreover, analysis of such data allows business enterprises tounderstand how their employees, potential consumers, and/or Web visitorsuse the company's online resources. Such analysis can therefore providebusinesses with operational intelligence, business intelligence, and anability to better manage their information technology (IT) resources.For instance, such analysis may enable a business to better retaincustomers, meet customer needs, and improve the efficiency and securityof the company's IT resources.

However, data analysts or systems administrators of an enterprise mayencounter significant challenges when attempting to identify, collect,and analyze such large quantities of data, which may be distributedacross multiple data sources within the enterprise's network environmentor IT infrastructure. Such challenges may prevent these enterprise usersfrom realizing the potential value that this data may provide. Inparticular, patterns in the enterprise's data as a whole, which mayprovide valuable insight into the operations of the enterprise, may bedifficult to find due in part to the size of this data and the fact thatthe underlying data produced by each data source within the enterpriseis usually analyzed in isolation, if at all.

SUMMARY OF A FEW EMBODIMENTS

Embodiments of the present disclosure relate to, among other things,visualizing values over time in a field defined for a set of events,which may be derived from machine data, log data, and/or other data.Each of the embodiments disclosed herein may include one or more of thefeatures described in connection with any of the other disclosedembodiments.

In one embodiment, a method is disclosed for visualizing, over time,values of a field in events that may be derived wholly or partially frommachine data. An input may be received from a user via a graphical userinterface. The input specifies a field and a time range. A set of eventsmay be identified based on the input received from the user. Each eventin the identified set may occur during the time range and may include avalue for the specified field. A set of unique values for the field maybe determined from the identified set of events. For each unique valuein the set of unique values, a subset of events including that uniquevalue for the field may be identified. Each event in the identifiedsubset may include a time-stamp coinciding with one of a plurality oftime slots within the time range. A visualization of counts of eventsfrom each of the subset of events identified for each unique value ofthe field within the time range may be provided. The visualization maydisplay a set of rows intersecting with a set of columns, where each rowcorresponds to one unique value in the set of unique values, each columncorresponds to one of the plurality of time slots, and each intersectionof a row and a column provides an indication of a number of eventsincluding the unique value corresponding to the row and having atime-stamp coinciding with the time slot corresponding to the column.

Various embodiments of the method may include one or more of thefollowing features: the events may be derived at least in part frommachine data; the events are derived at least in part from log filesgenerated by one or more servers; the indication of the number of eventsmay be an absolute or relative indication of the number of events thatis provided using a color or shade; the color or shade may be applied toeach intersection according to a linear scale; the color or shade may beapplied to each intersection according to a logarithmic scale; the coloror shade may be applied to each intersection according to an exponentialscale; the color or shade may be applied to each intersection accordingto a rank assigned to that intersection based on the correspondingnumber of events; the color or shade may be applied to each intersectionacross each individual row, each individual column, a subset of rows andcolumns selected by the user, or all displayed rows and columns of thevisualization; the method may further include steps of receiving inputfrom the user specifying a time granularity via the graphical userinterface, the graphical user interface including a control element forenabling the user to vary the time granularity, and adjusting a durationof time covered by each of the plurality of time slots based on thereceived time granularity; the method may further include steps ofreceiving user input selecting a header portion of a column in the setof columns of the visualization and sorting the set of rows in ascendingor descending order according to the number of events including thevalue corresponding to each row in the set of rows, based on thereceived user input; the visualization may include a statistics tabledisplaying a set of statistics calculated for each unique value in theset of unique values for the field, and the set of statistics iscalculated based on the identified subset of events for each uniquevalue; the visualization provided to the user may be a heat mapindicating variations in an event count representing the one or moreevents coinciding with each of the plurality of time slots over theselected time range for each of the unique values of the specifiedfield; and the graphical user interface may enable the user to reordereach of the set of rows by using a drag and drop gesture with a userinput device.

In another embodiment, a system may include a memory havingprocessor-readable instructions stored therein and a processorconfigured to access the memory and execute the processor-readableinstructions, which, when executed by the processor, configures theprocessor to perform a plurality of functions, including functions to:receive an input from a user via a graphical user interface, where theinput may specify a field and a time range; identify events within themachine data based on the input received from the user, where each eventin the identified set occurring within the time range and including avalue for the specified field; determine a set of unique values for thefield from the identified set of events; for each unique value in theset of unique values, identify a subset of events including that uniquevalue for the field, each event in the identified subset having atime-stamp coinciding with one of a plurality of time slots within thetime range; and provide a visualization of events from each of thesubset of events identified for each unique value of the field withinthe time range, where the visualization displays a set of rowsintersecting with a set of columns, each row corresponds to one uniquevalue in the set of unique values, each column corresponds to one of theplurality of time slots, and each intersection of a row and a columnprovides an indication of a number of events including the unique valuecorresponding to the row and having time-stamps coinciding with the timeslot corresponding to the column.

Various embodiments of the system may include one or more of thefollowing features: the events may be derived at least in part frommachine data; the events may be derived at least in part from log filesgenerated by one or more servers; the indication of the number of eventsmay be an absolute or relative indication of the number of events thatis provided using a color or shade; the color or shade may be applied toeach intersection according to a linear scale; the color or shade may beapplied to each intersection according to a logarithmic scale; the coloror shade may be applied to each intersection according to an exponentialscale; the color or shade is applied to each intersection according to arank assigned to that intersection based on the corresponding number ofevents; the color or shade may be applied to each intersection acrosseach individual row, each individual column, a subset of rows andcolumns selected by the user, or all displayed rows and columns of thevisualization; the processor may be further configured to receive inputfrom the user specifying a time granularity via the graphical userinterface, the graphical user interface including a control element forenabling the user to vary the time granularity, and adjust a duration oftime covered by each of the plurality of time slots based on thereceived time granularity; the processor may be further configured toreceive user input selecting a header portion of a column in the set ofcolumns of the visualization, and sort the set of rows in ascending ordescending order according to the number of events including the valuecorresponding to each row in the set of rows, based on the received userinput; the visualization may include a statistics table displaying a setof statistics calculated for each unique value in the set of uniquevalues for the field, and the set of statistics is calculated based onthe identified subset of events for each unique value; the visualizationprovided to the user may be a heat map indicating variations in an eventcount representing the one or more events coinciding with each of theplurality of time slots over the selected time range for each of theunique values of the specified field; and the graphical user interfacemay enable the user to reorder each of the set of rows by using a dragand drop gesture with a user input device.

In a further embodiment, a computer readable medium includes storedinstructions that, when executed by a computer, cause the computer toperform functions to: receive an input from a user via a graphical userinterface, where the input may specify a field and a time range;identify events within the machine data based on the input received fromthe user, where each event in the identified set occurring within thetime range and including a value for the specified field; determine aset of unique values for the field from the identified set of events;for each unique value in the set of unique values, identify a subset ofevents including that unique value for the field, each event in theidentified subset having a time-stamp coinciding with one of a pluralityof time slots within the time range; and provide a visualization ofevents from each of the subset of events identified for each uniquevalue of the field within the time range, where the visualizationdisplays a set of rows intersecting with a set of columns, each rowcorresponds to one unique value in the set of unique values, each columncorresponds to one of the plurality of time slots, and each intersectionof a row and a column provides an indication of a number of eventsincluding the unique value corresponding to the row and havingtime-stamps coinciding with the time slot corresponding to the column.

In yet a further embodiment, a computer readable medium includes storedinstructions that, when executed by a computer, cause the computer toperform functions to: display a graphical user interface enabling a userto specify a field and a time range; receive through the graphical userinterface a selection of the field and the time range; identify a set ofevents for which the field has been defined and that are stored in atime series data store, and that have associated time-stamps fallingwithin the time range; determine a set of unique values for the field inthe events; for each unique value in the set of unique values, determinea number of events having that unique value for the field and having atime-stamp falling within each of a set of time slots within the timerange; display a set of rows, each corresponding to one of the uniquevalues, wherein each row contains a set of columns, each columncorresponding to one of the time slots; and for a set of heat map boxesat intersections between a row and a column, provide an absolute orrelative indication of the number of events having a value correspondingto the row and a time-stamp falling within the time slot correspondingto the column.

It may be understood that both the foregoing general description and thefollowing detailed description are exemplary and explanatory only andare not restrictive of the invention, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute apart of this specification, illustrate exemplary embodiments of thepresent disclosure and together with the description, serve to explainthe principles of the disclosure.

FIG. 1 shows a high-level block diagram of an exemplary enterprisenetwork environment.

FIG. 2 shows a high-level block diagram of an exemplary data intake andquery system for indexing and storing data collected from multiplesources.

FIG. 3 illustrates a process flowchart of an exemplary method forsegmenting and storing events derived from data collected from variousdata sources.

FIG. 4A illustrates a process flowchart of an exemplary method forproviding a visualization of a count of events having values for aspecified field in different time periods over a selected time range,where the events may have been derived from collected data including,e.g., machine data.

FIG. 4B illustrates a process flowchart of an exemplary method forgenerating a visualization of events having values for the specifiedfield in FIG. 4A.

FIG. 4C illustrates a process flowchart of an exemplary method forexecuting a query for a set of events that may be derived from data.

FIG. 5A illustrates an exemplary graphical user interface (GUI) fordisplaying a value table and a heat map visualization of events havingvalues for a categorical field over a selected time range, where theevents may have been derived from collected machine data.

FIG. 5B illustrates an exemplary user control element of the GUI shownin FIG. 5A for displaying additional information related to eventshaving values for the categorical field during a selected time slotallocated within the selected time range.

FIG. 5C illustrates an exemplary format control element of the GUI shownin FIG. 5A for providing a user with various formatting options tocustomize the heat map visualization for the categorical field over thetime range.

FIG. 6A illustrates an exemplary logarithmic scale of a color gradientthat may be used for displaying the heat map visualization via the GUIof FIG. 5A.

FIG. 6B illustrates an exemplary exponential scale of a color gradientthat may be used for displaying the heat map visualization via the GUIof FIG. 5A.

FIG. 7 illustrates another exemplary GUI for displaying a heat mapvisualization of events having values for a categorical field over atime range.

FIG. 8 illustrates another view of the exemplary GUI of FIG. 7 fordisplaying a visualization of all values for the categorical field overthe time range.

FIGS. 9A-9C illustrate detailed views of various time range controlelements of the GUI shown in FIG. 7 .

FIG. 10A illustrates an exemplary GUI for displaying a visualization ofvalues for a numerical field over a time range.

FIG. 10B illustrates another view of the exemplary GUI of FIG. 10A fordisplaying a visualization of the numerical field's values over the timerange, where the displayed values are separated according to values foranother selected field.

FIGS. 11A-11D illustrate different views of an exemplary GUI fordisplaying a visualization of values of a field over a time range.

FIG. 12 illustrates an exemplary computer system in which embodiments ofthe present disclosure may be implemented. The present invention isdescribed in detail below with reference to the attached drawingfigures, wherein:

DETAILED DESCRIPTION Overview

The present disclosure relates to systems and methods for visualizingvalues over time of a field identified in events that may be derivedfrom data including, e.g., machine data. In an example, data generatedby various data sources is collected and segmented into discrete events,each event corresponding to data from a particular point in time.Examples of such data sources include, but are not limited to, webservers, application servers, databases, firewalls, routers, operatingsystems, software applications executable at one or more computingdevices within the enterprise data system, mobile devices, and sensors.The types of data generated by such data sources may be in various formsincluding, for example and without limitation, server log files,activity log files, configuration files, messages, network packet data,performance measurements or metrics, and sensor measurements. The datasources may be associated with, for example, an enterprise data systemdistributed across a network environment. The events, which may bederived from indexing or segmenting the machine data or other datagenerated by these data sources, may be used to provide search and dataanalysis functionality to a user of the enterprise data system, e.g., adata analyst or systems engineer interested in gaining a betterunderstanding of the performance and/or security of an enterpriseorganization's information technology (IT) infrastructure. As will bedescribed in further detail below, such functionality may include thevisualization of events and values for a specified field that may beextracted from the events occurring during a given time period. In someembodiments, the visualization may be of a count or other statistic forvisualizing the occurrence over time of events, by a plurality of uniquevalues for the specified field. For example, the visualization mayrepresent how many times events having each of the unique values for thespecified field occurred during each of a plurality of time slotsextending over the given time period.

While the present disclosure is described herein with reference toillustrative embodiments for particular applications, it should beunderstood that embodiments are not limited thereto. Other embodimentsare possible, and modifications can be made to the embodiments withinthe spirit and scope of the teachings herein and additional fields inwhich the embodiments would be of significant utility.

It would also be apparent to one of skill in the relevant art that thepresent disclosure, as described herein, can be implemented in manydifferent embodiments of software, hardware, firmware, and/or theentities illustrated in the figures. Any actual software code with thespecialized control of hardware to implement embodiments is not limitingof the detailed description. Thus, the operational behavior ofembodiments will be described with the understanding that modificationsand variations of the embodiments are possible, given the level ofdetail presented herein.

In the detailed description herein, references to “one embodiment,” “anembodiment,” “an example embodiment,” etc., indicate that the embodimentdescribed may include a particular feature, structure, orcharacteristic, but every embodiment may not necessarily include theparticular feature, structure, or characteristic. Moreover, such phrasesare not necessarily referring to the same embodiment. Further, when aparticular feature, structure, or characteristic is described inconnection with an embodiment, it is submitted that it is within theknowledge of one skilled in the art to effect such feature, structure,or characteristic in connection with other embodiments whether or notexplicitly described.

In an embodiment, “time-series data” and “time-series machine data” mayinclude, among other things, a series or sequence of data pointsgenerated by one or more data sources or computing devices. Each datapoint may be associated with a time-stamp or be associated with aparticular point in time that provides the basis for a time-stamp forthe data point, and the series of data points may be plotted over a timerange or time axis representing at least a portion of the time range.The data can be structured, unstructured, or semi-structured and cancome from files, directories, and/or network events. Unstructured datamay refer to data that is not organized according to, for example, apredefined schema to facilitate the extraction of values or fields fromthe data. Machine data generated by, for example, data sources within anenterprise network environment is generally unstructured data. As willbe described in further detail below, the visualization of suchtime-series data may be used to display statistical trends over time.The time-series machine data collected from a data source may besegmented or otherwise transformed into discrete events, where eachevent can be associated with a time-stamp.

In an embodiment, an “event” may include, among other things, a singlepiece of data corresponding to a time-stamped record of activityassociated with a particular data source. Such an event may correspondto, for example, a record in a log file or other data input. In someinstances, a single event may correspond to a single line in a log fileor other data input. However, some inputs may have multiline events, forexample, XML logs, and some inputs may have multiple eventscorresponding to a single line or record within the log file. Further,“events” may include, among other things, all of the events that may bederived from processing or indexing machine data, as will be describedin further detail below. Events can also correspond to any time-seriesdata, such as performance measurements of an IT component (e.g., acomputer cluster, node, host, or virtual machine), or a sensormeasurement including, but not limited to, sensor data from anaccelerometer, gyroscope, digital compass, barometer, location data froma Global Positioning System (GPS) or other type of sensor or device usedfor location determination (e.g., Wi-Fi, cell-10, and data from aRadio-Frequency Identification (RFID) reader, Near Field Communication(NFC) reader, or the like. The execution of a query or search for a nameor keyword within the various stored events, or for events whose valuesfor various fields meet various criteria, or for events occurring atparticular times, may produce one or more events responsive to theparticular query.

In an embodiment, a “field” may include, among other things, anysearchable name/value pair that may appear within the events derivedfrom data, such as machine data. In an example, a data intake and querysystem within an enterprise network environment may be configured toautomatically extract certain fields from the events upon beingsegmented, indexed, or stored. A field may be defined by a user at anytime to enable the representation of the occurrence of events containingvalues for that user-defined field. A field also may correspond tometadata about the events, such as a time-stamp, host, source, andsource type for an event. Such metadata fields may, in some cases, bereferred to as “default fields,” based on the fields being derived forall events at the time of segmenting, indexing, and/or storing of theevents within one or more data stores, as will be described in furtherdetail below. Values for these and other fields, such as user-definedfields, may be extracted from the events themselves or determined for aparticular event from other sources related to the event, e.g.,interpolated or extrapolated based on values for the same field includedwithin other events occurring within a series of events including theparticular event in question. Also, user-specified fields may beextracted from the events at either index time, storage time, or searchtime, e.g., upon the execution of a search or query for events matchingcertain user-specified criteria. In some implementations, tags oraliases may be assigned to any field/value combination, for example, inorder to identify fields with different names that contain equivalentpieces of information.

Exemplary Embodiments

FIG. 1 shows a high-level block diagram of an exemplary enterprisenetwork environment 100. As shown in FIG. 1 , network environment 100includes a client 105, a client device 110, a user 115, a user device120, a data intake and query system 145, and a visualization system 150,each of which may be communicatively coupled to each other via, e.g., anetwork 140. Although only client device 110, user device 120, dataintake and query system 145, and visualization system 150 are shown inFIG. 1 , it should be noted that network environment 100 may include anyadditional devices or component systems as desired for a particularimplementation.

In the example shown in FIG. 1 , each of client device 110 and userdevice 120 may be any type of computing device having at least oneprocessor and a memory for storing processor-readable instructions anddata. Examples of such computing devices include, but are not limitedto, a desktop or personal computer, a laptop computer, a netbookcomputer, a tablet, and a hand-held electronic device, e.g., asmartphone or other type of mobile computing device. However, clientdevice 110 and/or user device 120 may be implemented using a system thatincludes multiple devices and/or components.

Similarly, data intake query system 145 and visualization system 150 maybe implemented using one or more computing devices. In an example, dataintake and query system 145 and visualization system 150 may beimplemented using one or more servers. Such a server may include, but isnot limited to, a web server, a data server, a proxy server, a networkserver, or other type of server configured to provide data services orexchange electronic information with other servers and other types ofcomputing devices (e.g., client device 110 and user device 120) vianetwork 140. Such a server may be implemented using any type of generalpurpose computer that includes, for example and without limitation, atleast one processor and a memory for executing and storingprocessor-readable instructions. The memory may include any type ofrandom access memory (RAM) or read-only memory (ROM) embodied in aphysical storage medium, such as magnetic storage including floppy disk,hard disk, or magnetic tape; semiconductor storage such as solid statedisk (SSD) or flash memory; optical disc storage; or magneto-opticaldisc storage. Software may include one or more applications and anoperating system. Hardware can include, but is not limited to, aprocessor, memory, and a display (e.g., for displaying a graphical userinterface). Such a server may also be implemented using multipleprocessors and multiple shared or separate memory devices within, forexample, a clustered computing environment or server farm.

In some implementations, data intake and query system 145 andvisualization system 150 may be communicatively coupled to each othervia a direct or indirect connection within, for example, a privatenetwork that may be accessible through a firewall via network 140.Further, data intake and query system 145 and visualization system 150may be implemented as components of a single, integrated data managementsystem, e.g., at a server (not shown) within enterprise networkenvironment 100. Alternatively, data intake and query system 145 orvisualization system 150 may be implemented as separate components of adistributed system including various computing devices communicativelycoupled to one another via network 140. Alternatively, the functionalityof some or all of the visualization system 150 could be included insoftware running on the client device 110 or user device 120.

Network 140 may be any type of electronic network or combination ofnetworks used for communicating digital content and data between variouscomputing devices. Network 140 may include, for example, a local areanetwork, a medium area network, or a wide area network, such as theInternet. In addition, network 140 can include, but is not limited to, awired (e.g., Ethernet) or a wireless (e.g., Wi-Fi, 3G, or 4G) network.Network 140 can support any of various protocols and technologyincluding, but not limited to, Internet protocols and/or data services.While not shown in FIG. 1 , network 140 may include one or moreswitches, firewalls, routers, gateways, or other types of intermediatenetwork devices used to facilitate communication between variouscomputing devices of network environment 100.

While not shown in FIG. 1 , network environment 100 may also include oneor more data stores or repositories for storing machine data and otherdata collected from various data sources, as described above. As will bedescribed in further detail below, the collected machine data and otherdata may be indexed and/or segmented by data intake and query system 145into a set of time-stamped events representing, for example, operations,transactions, records, measurements, or readings generated at each datasource over a period of time. In an example, one of the data sources maybe a web server, and the time-stamped events may correspond to entrieswithin a log file generated by the web server over a given time period.The events in this example may correspond to, for example and withoutlimitation, requests and responses related to web content to and fromthe web server and one or more computing devices associated withend-users of a service provided by the web server, e.g., via one or moreweb pages that may be loaded into a web browser executable at eachend-user's device. The requests and responses may be in the form of, forexample and without limitation, standard Hypertext Transfer Protocol(HTTP) requests and responses between the web server and each end-user'sdevice. Other examples of events that may be derived from log files orother types of machine data generated by a data source include, but arenot limited to, the execution of a program or script, a fault exception,an unhandled interrupt, and any security threats or other potentialissues detected during the period of time. Further, an individual eventmay be derived from machine data corresponding to, for example, a singleline of machine data within an activity log, multiple lines of machinedata, a whole document, an entire configuration file, or a completestack trace generated by the data source. Additional characteristics andfeatures of data intake and query system 145 will be described infurther detail below with respect to FIG. 2 .

In an example, client 105 and user 115 may be users of a clientapplication executable at client device 110 and user device 120,respectively. Client 105 may be, for example, a data analyst or systemsengineer within an IT department of an enterprise organization, whileuser 115 may be, for example, a non-technical user within a businessoperations or marketing department of the enterprise organization. Theclient application executable at each device may enable client 105 anduser 115 to interact with data intake and query system 145 and/orvisualization system 150 for obtaining and analyzing different values ofa machine data field over a selected time range, as will be described infurther detail below. The client application may provide client 105 anduser 115 with an interface for accessing the functionality provided by adata management system, e.g., including data intake and query system 145and visualization system 150 of network environment 100. The interfacemay be, for example, a GUI and/or an application programming interface(API), for enabling client 105 and user 115, or the client applicationexecutable at each of client device 110 and user device 120,respectively, to access the functionality provided by data intake andquery system 145 or visualization system 150. It should be noted that insome implementations client 105 or user 115 may be an application, aservice, utility, script or program written in any of various scriptinglanguages, which may be configured to programmatically interface withthe client application executable at client device 110 or user device120, respectively.

While not shown in FIG. 1 , it should be further noted that in otherimplementations, visualization system 150 may be implemented as acomponent of the client application installed and executable at each ofclient device 110 and user device 120. In an example, client 105 anduser 115 may use the client application executable at their respectivedevices to generate queries for events based on various criteria thatmay be specified by client 105 and user 115 via a GUI of the clientapplication. The client application in this example may interact with asearch interface to submit queries for events including a user-specifiedfield and occurring within a particular time range of interest. Variousvisualizations of the query results may be displayed to client 105 anduser 115 via the same or different GUI of the client application atclient device 110 and user device 120, respectively.

In a further example, user 115 can utilize visualization system 150 orinterface thereof provided via the client application executable at userdevice 120, as described above, in order to view the absolute andrelative timings of events with respect to different values of aspecified field over a selected time range. As will be described infurther detail below, a visualization of events including each of aplurality of field values over time may be provided to the user via aGUI of the client application. The GUI may, for example, allow the userto select a desired time range for the visualization of events occurringat various points during the time range. The time range may be any timeperiod of interest including, but not limited to, minutes, hours, days,weeks, months, years, or a custom time range within any one or acombination of the preceding time periods. In one embodiment, the timerange may be defined by the scope of the events represented in an entirevisualization. Although the present disclosure describes a userselection of a time range for limiting the scope of events visualized,it should be appreciated that in some embodiments, the time range forthe visualization may be based on the time-stamps of the events derivedfrom the collected machine data or other data and stored within the datastore(s), as described above.

The GUI may also allow the user to select a time granularity forspecifying the duration of each of a plurality of time slots within thetime range, to better represent the various times during which eventsoccur during the time range. Thus, the time granularity may be used todefine the unit or duration of time covered by each time slot over theselected time range of interest. In some implementations, the durationof the time slots over the user-selected time range can be apportionedautomatically without user input, e.g., based on a predefined timegranularity. By way of example, if the time range is the past day (e.g.,yesterday, or a preceding period of 24 hours), the time granularity maybe set either automatically or by the user to 30-minute increments,thereby creating forty-eight 30-minute time slots visualized over thetime range. If the time range is the past week, the time granularity maybe set automatically or by the user to 12-hour increments, therebycreating fourteen 12-hour time slots visualized over the time range.

In an example, the visualization may be in the form of a heat mapincluding a tiled or tessellated matrix of a set of rows and a set ofcolumns, in which each of the unique values for the specified field maycorrespond to different rows of events, and each of the plurality oftime slots for the events in each row may correspond to differentcolumns of the heat map, as will be described in further detail below.The selected time range in this example may define a visible time rangeincluding the plurality of time slots displayed along a time axis of thevisualization within a content viewing area or visualization window ofthe GUI. Thus, the visualization for each value of a specified fieldalong the axis may be displayed as, for example, a row ofequally-distributed time slots or “buckets” indicating the number ofevents occurring for each value of the specified field over the visibletime range. Each time slot or bucket in this example may be used toindicate to the user that one or more events including a particularfield value occurred at a particular point in time coinciding with theindividual unit or duration of time represented by the time slot orbucket. In one embodiment, each time slot or bucket may be referred to,or considered to be, an “intersection” of a row corresponding to aunique one of the field values and a column corresponding to a uniqueone of the time slots. Alternatively, each time slot or bucket may bereferred to, or considered to be, a “cell” of a table having a temporaldistribution along one of the table's column and row headers, and afield value distribution over the other of the column and row headers.Also, as will be described in further detail below, the visualization ofa bucket or time slot may vary according to the number of eventsassociated with the bucket or time slot, e.g., by varying a gradient ofthe color or shade used to display the individual time slots or bucketswithin the visible time range.

In an example, the number of events (or event count) associated witheach bucket or time slot for a particular field value may be based onthe results of a query for events including the field value and having atime-stamp coinciding with the particular time slot within the selectedtime range. In some implementations, such a query may be generateddynamically by the data management system, e.g., in response to thereceipt of user input specifying the field via the GUI. The criteria forthe query may be based on, for example, the type of field or fieldvalues, as will be described in further detail below. Further, eachquery may include one search command or a series of search commands,e.g., in the form of a pipelined query or search pipeline, to beexecuted by a search head (e.g., search head 225 of FIG. 2 , as will bedescribed in further detail below) of the data management system. In anexample, the various commands of such a search pipeline may be separatedby a special operator or “pipe character” (e.g., “I”) and the output orresult of one command (e.g., to the left of the pipe character) mayserve as the input to the next command (e.g., to the right of the pipecharacter). The search query in this example may be, for example, asingle query (e.g., a pipelined query), which may be used to retrieveall events that occur within a given time range and that include a valuefor a given field of interest. Accordingly, the results obtained fromexecuting this query may be used to identify all the different uniquevalues for a given field of interest, all the events within the timerange that include these values, and the particular points in time whenthese events occurred during the time range.

FIG. 2 shows a high-level block diagram of an exemplary data intake andquery system 145 for indexing time-series machine data collected fromone or more data sources including, for example, any of sources 205 a,205 b, and 205 c. As shown in FIG. 2 , system 145 may include forwarders210 a and 210 b that collect data from sources 205 a, 205 b, and 205 cand forward the data to indexers 215 a, 215 b, and 215 c. However, itshould be noted that system 145 could include a greater or fewer numberof forwarders and/or indexers, as desired for a particularimplementation. Further, system 145 may collect and process machine dataor other data from any number of data sources, including additional datasources (not shown) that may be communicatively coupled to forwarder 210a or forwarder 210 b or to one or more additional forwarders (not shown)that may be included in system 145. In an example, forwarder 210 a maycollect and forward streams of time-series machine data or other datagenerated by sources 205 a and 205 b to one or more of indexers 215 a,215 b, and 215 c. Similarly, forwarder 210 b may collect and forward thetime-series machine data generated by source 205 c. It should be notedthat the components of system 145, including forwarders 210 a and 210 b,indexers 215 a, 215 b, and 215 c, and/or search head 225, may beimplemented at a single server or across multiple servers or computingdevices that are communicatively coupled in a distributed networkenvironment (e.g., servers within a server farm).

Data sources 205 a, 205 b, and 205 c may include computers, routers,databases, operating systems, and applications. Each of data sources 205a, 205 b, and 205 c may generate one or more different types of machinedata including, but not limited to, server logs, activity logs,configuration files, messages, database records, and the like. Themachine data or other data produced by data sources 205 a, 205 b, and205 c may arrive at forwarder 210 a or forwarder 210 b as, for example,a series of time-stamped records of relevant activities or operationsoccurring at each data source over time. Further, such time-seriesmachine data may be collected by forwarder 210 a or 210 b in real-time,e.g., as a real-time data stream or feed to which forwarder 210 a or 210b may be subscribed. Alternatively, the machine data may be collected orretrieved by forwarder 210 a or 210 b from each data source at periodictime intervals.

In the example shown in FIG. 2 , indexers 215 a, 215 b, and 215 c mayreceive the collected machine data from forwarders 210 a and 210 b andprocess the data into events. The events may be searchable and indexedto allow for fast keyword searching. At any time, a schema defining oneor more fields within the events may be generated. After generation ofthe schema, a subsequent search may utilize each field that is definedby specifying search criteria relating to values for that field. Theextraction of a value for a field from an event may occur at eitherindex time, storage time, or search time. For field extraction at searchtime, the schema may be referred to as a “late-binding schema,” as willbe described in further detail below. The indexed events may be storedwithin one or more of data stores 220 a, 220 b, and 220 c. As shown inFIG. 2 , system 145 may also include a search head 225 for searchingevents, and any searches may include criteria for selection of eventsand any already defined fields included in the events that are storedwithin data stores 220 a, 220 b, and 220 c. Each of data stores 220 a,220 b, and 220 c may be implemented using any type of recording mediumfor storing different types of data accessible to indexers 215 a, 215 b,and 215 c and search head 225. In some implementations, search head 225may search events and fields in real-time, without having to access datastores 220 a, 220 b, or 220 c. For example, search head 225 may receivereal-time streams of indexed event data directly from indexers 215 a,215 b, and 215 c. In an example, indexers 215 a, 215 b, and 215 c, datastores 220 a, 220 b, and 220 c, and search head 225 may representdifferent parts of a distributed network environment (e.g., enterprisenetwork environment 100 of FIG. 1 , as described above) for indexing,storing, and searching events derived from machine data and other data(e.g., mobile or network data) collected from data sources 205 a, 205 b,and 205 c. As will be described in further detail below with respect tothe exemplary method of FIG. 3 , search head 225 in this example mayserve as a centralized search manager or module for handlingsearch-related functions including, but not limited to, directing searchrequests to a set of search peers, e.g., indexers 215 a, 215 b, and 215c, and then, merging the results from each search peer for display tothe user. Accordingly, search head 225 may be implemented using, forexample, a centralized server communicatively coupled to indexers 215 a,215 b, and 215 c and data stores 220 a, 220 b, and 220 c via a network(e.g., network 140 of FIG. 1 , as described above) within thedistributed network environment (e.g., enterprise network environment100 of FIG. 1 ). In one embodiment, the search head may request thateach of the various distributed indexers, in parallel, find relevantpartial search results responsive to the query, and to return thoseresults to the search head. The search head may aggregate the receivedpartial results to determine a final results set for producing a list ofevents or visualization of events for display at or to the client. Inone embodiment, the assignment of parallel processing of searches to thevarious distributed indexers on their partial event stores may bereferred to as a “map-reduce” process.

As noted above, the components of system 145, including forwarders 210 aand 210 b, indexers 215 a, 215 b, and 215 c, and/or search head 225, maybe implemented at a single server or across multiple servers orcomputing devices that are communicatively coupled in a distributednetwork environment. For example, each component may be implementedusing a different computing device having at least one processor, amemory, and a network communications interface. Similarly, data stores220 a, 220 b, and 220 c may be implemented using separate data storagedevices that may be accessible to the other components of system 145 viaa network (e.g., network 140 of FIG. 1 , as described above). In someimplementations, data stores 220 a, 220 b, and 220 c may be coupled toor integrated with indexers 215 a, 215 b, and 215 c, respectively, andthe stored data within data stores 220 a, 220 b, and 220 c may be madeaccessible to search head 225 via an interface provided by each ofindexers 215 a, 215 b, and 215 c, respectively.

Additional details of the features and operations of system 145,including forwarders 210 a and 210 b, indexers 215 a, 215 b, and 215 c,data stores 220 a, 220 b, and 220 c, and search head 225, will bedescribed below with respect to FIG. 3 . Furthermore, the systems andtechniques disclosed herein, including with respect to data intake andquery system 145 of FIGS. 1 and 2 and the exemplary methods of FIGS. 3and 4A-4C, as will be described below with reference to FIGS. 1 and 2 ,are further discussed and elaborated upon in the following references:Carasso, David. Exploring Splunk Search Processing Language (SPL) Primerand Cookbook. New York: CITO Research, 2012; and Ledion Bitincka,Archana Ganapathi, Stephen Sorkin, and Steve Zhang. Optimizing dataanalysis with a semi-structured time series database. In SLAML, 2010.Each of these references is incorporated herein by reference in itsentirety.

FIG. 3 illustrates a process flowchart of an exemplary method 300 forsegmenting and storing events derived from machine data or other datacollected from various data sources. While method 300 will be describedusing data intake and query system 145, as shown in the above-describedexamples of FIGS. 1 and 2 , it should be noted that method 300 is notintended to be limited thereto. In an example, the steps of method 300may be performed by indexers 215 a, 215 b, and 215 c of FIG. 2 , asdescribed above. Although the principles of the present disclosurecontemplate that steps of method 300 may be performed in the orderdepicted in FIG. 3 , it should be appreciated that one or more of thesesteps may be performed in a different order or may be omittedaltogether. Furthermore, it should be appreciated that method 300 mayinclude additional steps than those shown in FIG. 3 , e.g., as desiredor needed for a particular implementation.

Method 300 begins in step 305, which includes receiving data generatedby one or more sources, e.g., sources 205 a, 205 b, and 205 c of FIG. 2, as described above. The generated data may be machine data (e.g., logfiles) or other computer, network, and/or mobile device data including,but not limited to, measurements relating to the performance of an IT ornetwork infrastructure component (e.g., a computer cluster, host, node,or virtual machine) or those captured by a sensor device within adistributed network environment (e.g., enterprise network environment100 of FIG. 1 , as described above). The data may be received from oneor more forwarding devices or forwarders (e.g., forwarders 210 a and 210b of FIG. 2 ). In step 310, the received data is segmented ortransformed into events. The events may be segmented according to one ormore event boundaries that may be found within the received data.Examples of such event boundaries include, but are not limited to,predefined characters or character strings. These may include certainpunctuation marks or special characters including, for example, carriagereturns, tabs, spaces, or line breaks. In some instances, eventboundaries may be discovered automatically by the software, and in otherinstances, they may be configured and/or predefined by the user.

A time-stamp may also be determined for each event in step 315. Thetime-stamp can be determined by any suitable means, including, e.g.,extracting a time field from data in an event or by interpolating thetime based on time-stamps extracted from other events occurring shortlybefore or after the event within a particular time frame of activityassociated with the same data source. In some implementations, thetime-stamp for an event may correspond to the time the event data wasreceived or generated. The time-stamp determined for each event isassociated with the event in step 320. For example, the time-stamp maybe stored as metadata for the event.

In step 325, the data included in a given event may be optionallytransformed. Such a transformation may include, for example, removingpart of an event (e.g., a portion used to define event boundaries) orremoving redundant portions of an event. A user or client may specify aportion to remove using a regular expression or other type of inputprovided via an interface of the data intake and query system describedherein.

Optionally, a keyword index can be generated to facilitate fast keywordsearching of events. To build such an index, method 300 may proceed tosteps 330 and 335. In step 330, a set of keywords or tokens includedwithin the events may be identified. In step 335, each identifiedkeyword or token may be added to a keyword index associating thekeyword/token with one or more events that each include thekeyword/token. In some implementations, the keyword index may include apointer for each keyword to the corresponding event(s) including thatkeyword (or locations within events where the particular keyword may befound). Alternatively, the keyword index may include some other type ofreference or indicator specifying how the events including each keywordmay be retrieved. When a keyword-based query is received by an indexer,the indexer may then consult this index to relatively quickly find thoseevents containing the keyword without having to examine again eachindividual event, thereby greatly accelerating keyword searches.

In step 340, the events are stored in one or more data stores (e.g.,data stores 220 a, 220 b, and 220 c of FIG. 2 ). The data also may bestored in a working, short-term, and/or long-term memory in order todecrease query execution time. The time-stamp may be stored along witheach event to help optimize searching the events by time range. In someimplementations, the time-stamps may be used to distribute the storeddata across a plurality of individual time slots, each of which maycorrespond to a storage location for events having time-stamps thatcoincide with the time slot. An event then can be associated with astorage location corresponding to a time slot representing a time periodthat is inclusive of the event's time-stamp. This may help optimizetime-based searches by allowing events with recent time-stamps that mayhave a higher likelihood of being accessed to be stored at preferablememory locations (such as flash memory instead of hard-drive memory)that lend to quicker subsequent retrieval.

Referring back to the example shown in FIG. 2 , data stores 220 a, 220b, and 220 c may be distributed across multiple indexers 215 a, 215 b,and 215 c, where each indexer may be responsible for storing andsearching a subset of the events generated by system 145. In someimplementations, the stored event data may be distributed among indexers215 a, 215 b, and 215 c so as to enable parallel searching of events inresponse to a query initiated by a user or client (e.g., user 115 orclient 105 of FIG. 1 ) within an enterprise network environment (e.g.,enterprise network environment 100 of FIG. 1 ). As will be described infurther detail below, partial query results returned by each of indexers215 a, 215 b, and 215 c may be combined by search head 225 in order toproduce a complete set of results in response to the user's query.

Also, as will be described in further detail below, a visualizationsystem (e.g., visualization system 150 of FIG. 1 , as described above)of the enterprise network environment may provide various GUIs enablingthe user to initiate different queries and receive a representation ofthe distribution of events that include a particular field and thevalues for that field in the events occurring over a selected timerange.

In an example, a set of default or predefined fields may be extractedfrom the event data at index time or storage time, e.g., by indexers 215a, 215 b, and 215 c. Other fields may be defined and included in theschema for the events at any time, up to and including search time.Examples of default fields or metadata that may be determined for eachevent include, but are not limited to, host, source, source-type, andtime (e.g., based on the time-stamp for the event), as described above.In another example, a value for a field may be extracted from an eventat search time, and the schema in this example may be referred to as alate-binding schema, as mentioned above and as will be described infurther detail below. The extraction rule for a field may include aregular expression (or “regex” or any other suitable expression) or anyother rule for how to extract a value from an event. In someimplementations, the visualization system may provide the user with aninteractive field extraction functionality via the GUI, which enablesthe user to create new custom fields. Additional details of the featuresand operations of the visualization system will be described below withrespect to FIGS. 4A and 4B.

FIG. 4A illustrates a process flowchart of an exemplary method 400A forproviding a visualization of values for a specified field in events thatmay be derived from data, e.g., machine data, and that occur during aselected time range. For purposes of discussion, method 400A will bedescribed using enterprise network environment 100 of FIG. 1 , includingvisualization system 150 of FIG. 1 and data intake and query system 145of FIGS. 1 and 2 , as described above. However, method 400A is notintended to be limited thereto. In an example, the steps of method 400Amay be performed by one or more components (e.g. visualization system150 and/or data intake and query system 145) of a data management systemwithin an enterprise network environment (e.g., enterprise networkenvironment 100). Although the principles of the present disclosurecontemplate that steps of method 400A may be performed in the orderdepicted in FIG. 4A, it should be appreciated that one or more of thesesteps may be performed in a different order or may be omittedaltogether. Furthermore, it should be appreciated that method 400A mayinclude additional steps than those shown in FIG. 4A, e.g., as desiredor needed for a particular implementation.

As shown in FIG. 4A, method 400A begins in step 405, which includesobtaining events from one or more data stores (e.g., one or more of datastores 220 a, 220 b, and 220 c of FIG. 2 , as described above). Asdescribed above, these events may be derived from collected datagenerated by one or more data sources (e.g., one or more of data sources205 a, 205 b, and 205 c of FIG. 2 ). The collected data may include, butis not limited to, machine data (e.g., in the form of web logs),performance measurements of an IT component, and/or sensor measurements.Also, as described above, the events may be segmented or transformedinto a series of time-stamped events, and then indexed (e.g., b/one ormore of indexers 215 a, 215 b, and 215 c of FIG. 2 ) and stored withinthe one or more data stores so as to enable searching of eventsoccurring within a time range by keyword, token, or name associated witha field whose values may be extracted from events including the field.The time range and field may be specified by a user via, for example,one or more GUIs of a client application executable at the user's device(e.g., client device 110 or user device 120 of FIG. 1 , as describedabove). The time range may be any period of time specified by the user.Alternatively, the time range may be based on, for example, the range oftime-stamps associated with the events obtained in step 405. In anexample, the selected time range may be based on user input received viaa GUI, e.g., the same or a different GUI from that provided in step 410for presenting the obtained event information to a user, e.g., for dataanalysis purposes.

In step 410, method 400A may further include providing a GUI forpresenting the obtained events to a user. The GUI in this example may beprovided to the user via, for example, a client application executableat the user's computing device (e.g., user device 120 of FIG. 1 , asdescribed above). In some implementations, the client application may bea web browser executable at the user's device, and the GUI may beprovided by the data management system as part of a web serviceaccessible to the user via a web page loaded within the web browser.Alternatively, the client application may be a standalone softwareapplication executable at the user's device for providing thevisualization functionality described herein.

In step 415, input may be received from the user via the GUI. Thereceived input may specify a field and a time range for displayingoccurrences of one or more events including the field during theselected time range. As described above, the field and the time rangemay be selected by the user via the same or different GUI provided bythe client application executable at the user's device. In an example,the field selected by the user may be extracted from the events atsearch time, e.g., at the time a query including one or more searchcommands (e.g., in a search pipeline) is executed for a late-bindingschema, as described above and as will be described in further detailbelow. Such a search-time field extraction may be based on, for example,a field definition or configuration specified by the user via aninteractive field extraction functionality accessible through the GUI,through regular expressions included within a configuration fileaccessible to the data intake and query system, or through a searchcommand provided as part of the query itself. In some implementations,the user may specify the field via an input control element provided bythe GUI, e.g., by selecting a desired field from a list of fieldsextracted from the events and prepopulated within a menu, dropdownwindow, or other type of control element for field selection, asprovided by the GUI for a particular implementation. The list of fieldsmay also include, for example, any default fields and/or user-definedfields that were extracted from the events at index and/or storage time.

Method 400A then proceeds to step 420, which may include identifyingevents occurring during the selected time range, where each eventincludes a value for the field and has a time-stamp that falls withinthe time range. In step 425, unique values for the specified field maybe determined from the identified events. In an example, thedetermination in step 425 may include extracting values for the fieldbased on a schema or definition of the field, which may be used toexecute queries for events including the field and occurring within thetime range. Each field in a schema may be defined for a subset of theevents in a data store and may specify how to extract a value from eachof the subset of events for which the field has been defined. Extractionrules for a field may be defined using, for example, a regularexpression, which may be associated with a logical type of informationthat is included within an event for which each rule is defined.

In some implementations, the data management system of the enterprisenetwork environment in this example may employ the specialized type ofschema, referred to herein as a “late-binding schema,” as notedpreviously. As alluded to above, such a late-binding schema may not bedefined or applied by the data intake and query system at the time ofindexing the collected data, as typically occurs with conventionaldatabase technology. Rather, in a system using late-binding schema, theschema can be developed on an ongoing basis up until the time it needsto be applied, e.g., at query time. In an example of a data intake andquery system (e.g., data intake and query system 145 of FIGS. 1 and 2 ,as described above) using a late-binding schema, the query may specify,for example, a search for events that have certain criteria defined bythe schema for specified fields and the events including such fields. Atsearch time, the values for the specified fields may be extracted andcompared to the search criteria. An advantage of such a late-bindingschema may include enabling a user, e.g., a data analyst, to performdata analysis in order to learn more about data included within eventsindexed from collected machine data, while also allowing the user tocontinue developing the schema until, for example, it is needed againfor executing a subsequent query to locate data within events.

In step 430, a visualization of events occurring during the time rangemay be provided for each unique value of the field. The visualizationprovided in step 430 may indicate, for example, the number of eventsoccurring at each of a plurality of time slots that are equallydistributed over the selected time range. As will be described infurther detail below, the size or duration of each time slot may bebased on, for example, a time granularity specified by the user via theGUI. As described above, the specified time granularity may be used todistribute the events identified in step 420 across a plurality ofbuckets or time slots over the selected time range, where each time slotmay correspond to the same unit, increment, or period of time within thetime range, as displayed along a time axis for the visualization. Thus,for each unique value of the specified field, each identified eventincluding that value for the specified field and occurring within thespecified time range based on its time-stamp may be assigned to anappropriate time slot within the time range. The unit or period of timefor each time slot may be, for example, a predetermined number ofseconds, hours, days, weeks, etc. An example of such a visualization isshown in FIG. 5A and will be described in further detail below.

FIG. 4B illustrates a process flowchart of an exemplary method 400B forgenerating a visualization of values for the specified field in FIG. 4A,e.g., as described above with respect to step 430 of method 400A.Although the principles of the present disclosure contemplate that stepsof method 400B may be performed in the order depicted in FIG. 4B, itshould be appreciated that one or more of these steps may be performedin a different order or may be omitted altogether. Furthermore, itshould be appreciated that method 400B may include additional steps thanthose shown in FIG. 4B, e.g., as desired or needed for a particularimplementation. Like method 400A, method 400B will be described usingenterprise network environment 100 of FIG. 1 , including visualizationsystem 150 of FIG. 1 and data intake and query system 145 of FIGS. 1 and2 , as described above, for purposes of discussion only, and method 400Bis not intended to be limited thereto.

Method 400B may begin in step 435, which may include identifying a setof events including values for a specified field and occurring within aselected time range. As described above, the field and the time rangemay be based on input received from a user (e.g., at step 415 of method400A of FIG. 4A). For example, the user input may be received via, forexample, a GUI of a client application executable at the user's devicefor providing data analysis functionality to the user of a datamanagement system within an enterprise network environment (e.g.,enterprise network environment 100 of FIG. 1 ), as described above.Alternatively, the field and/or time range may be determinedautomatically or by default.

In one exemplary embodiment, the events may be identified in step 435 byexecuting a query for events including the particular field. Asdescribed above, a set of events may be derived from data collected fromone or more data sources within an enterprise network environment (e.g.,enterprise network environment 100 of FIG. 1 , as described above) andprocessed by a data intake and query system (e.g., data intake and querysystem 145 of FIGS. 1 and 2 ) within the enterprise network environment.In some implementations, the data intake and query system may includemultiple indexers (e.g., indexers 215 a, 215 b, and 215 c of FIG. 2 )and multiple data stores (e.g., data stores 220 a, 220 b, and 220 c ofFIG. 2 ) distributed across the indexers. Each indexer may beresponsible for indexing and storing at least a portion of the set ofevents derived from the data collected from the data sources, asdescribed above. The indexers may also be utilized by a search head(e.g., search head 225 of FIG. 2 ) to execute the query (e.g., includinga series of search commands in a search pipeline) for events includingthe field value. By distributing the search process amongst the variousindexers, e.g., which may be able to search for events responsive to aquery in parallel, the search head can utilize the indexers to executethe query and obtain query results in a shorter amount of time. Itshould be noted that the indexers might use any conventional orproprietary search technique for executing the query. Also, as eachindexer may store only a portion of the entire set of events and thus,produce only a partial set of search results in response to the query,the search head (e.g., search head 225 of FIG. 2 ) may be configured tocombine the partial results from each indexer in order to form acomplete or final set of search results in response to the query, aswill be described in further detail with respect to FIG. 4C.

FIG. 4C illustrates a process flowchart of an exemplary method forperforming the event identification in step 435 of method 400B of FIG.4B by executing a query for events that include any of the valuesidentified for the specified field in step 435 of method 400B of FIG.4B, as described above. Also, as described above, the query may beexecuted by, for example, a search head (e.g., search head 225, asdescribed above), which may be part of a data management or data intakeand query system (e.g., data index and query system 145 of FIGS. 1 and 2) within the enterprise network environment (e.g., enterprise networkenvironment 100 of FIG. 1 ). Although the principles of the presentdisclosure contemplate that steps of this method may be performed in theorder depicted in FIG. 4C, it should be appreciated that one or more ofthese steps may be performed in a different order or may be omittedaltogether. Furthermore, it should be appreciated that this method mayinclude additional steps than those shown in FIG. 4C, e.g., as desiredor needed for a particular implementation.

As shown in step 436 of FIG. 4C, a search head may receive a query forevents including a value of the specified field. The query may be basedon, for example, input received from a user via a GUI or other interfaceof a client application executable at the user's device, as describedabove. In an example, the input from the user may be used by the clientapplication to generate a search request that is sent to the search headfor events including a particular field and/or a particular field/valuepair. In step 437, the search head may distribute the received query orsearch request to one or more distributed indexers (e.g., indexers 215a, 215 b, and 215 c of FIG. 2 , as described above). These indexers caninclude those with access to data stores having events responsive to thequery. The events may be indexed and stored within one or more datastores, e.g., data stores 220 a, 220 b, and 220 c of data intake andquery system 145 of FIG. 2 , as described above. For example, theindexers can include those with access to events with time-stamps withina part or all of a time period identified in the query. In step 438,each of the one or more indexers to which the query may be distributedsearches its data store for events responsive to the query. To determineevents responsive to the query, a searching indexer may find eventsspecified by the criteria in the query. Such criteria can include anindication that the events being queried have particular keywords orcontain a specified value or values for a specified field or fields. Asa late-binding schema may be used, as described above, extraction ofvalues from events based on the specified criteria may occur at the timethat the query is processed, e.g., as opposed to the time that themachine data is indexed, segmented, or stored in the form of events. Itshould be appreciated that, to achieve high availability and to providefor disaster recovery, events may be replicated in multiple data stores,in which case indexers with access to the redundant events would notrespond to the query by processing the redundant events. The indexersmay either stream the relevant events back to the search head or use theevents to calculate a partial result responsive to the query and sendthe partial result back to the search head. In step 439, the search headcombines all the partial results or events received from the parallelprocessing together to determine a final result responsive to the query.

Referring back to method 400B of FIG. 4B, in step 440, a set of uniquevalues for the field may be determined based on the identified set ofevents. For example, method 400B may include extracting all of thevalues for the specified field among all of the events identified instep 435, and de-duplicating the values to obtain a list or set ofunique values for the specified field. Method 400B may then proceed tosteps 445, 450, 455, 460, 465, and 470, some or all of which may beperformed for each unique value of the field.

In step 445, for each unique value, a subset of the events having avalue matching the unique value may be identified, where each event inthe identified subset has a time-stamp coinciding with one of aplurality of time slots within the time range, as described above. Also,as described above, the number of time slots and duration of each of thetime slots may be based on a predetermined time granularity or may bedetermined based on a time granularity set by the user via the GUI forthe visualization. Once the subset of events that include the particularunique value for the field is identified in step 445, the appropriatetime slot for each event in the identified subset may be identified instep 450, and in step 455, the identified time slot may be associatedwith the corresponding event in the identified subset. In someimplementations, an association between each event and the correspondingtime slot may be created programmatically using, for example, a memorypointer or other type of reference object linking the event to theappropriate time slot. Such a pointer or linking reference may beassociated with an instance of the event, e.g., as it is represented andstored within one or more data stores, e.g., data stores 220 a, 220 b,and 220 c of data intake and query system 145 of FIG. 2 , as describedabove.

Step 460 includes counting the number of events associated with eachtime slot, and calculating statistics based on the event count for eachof the time slots distributed across the selected time range. The eventcount may be used to determine a gradient for a color (or shade) in step465, which may be used for visualizing the time slots for each fieldvalue according to the corresponding event counts. A visualization ofthe calculated statistics and event count for each time slot over theselected time range is generated in step 470 based on the gradient, aswill be described in further detail below with respect to FIGS. 5A-11D.

FIG. 5A illustrates an exemplary GUI 500 for displaying a visualizationof values for a specified field in events falling within a selected timerange, as described above. GUI 500 may be provided within, for example,a client application executable at a user's device (e.g., user device120 of FIG. 1 ) for providing access to the data analysis functionalityof a data management system within an enterprise network environment(e.g., enterprise network environment 100 of FIG. 1 ), as describedabove. The visualization in the example shown in FIG. 5A is in the formof a heat map. However, it should be noted that the techniques disclosedherein are not intended to be limited thereto, and that any type ofvisualization of the values for a field may be provided to the user viaGUI 500.

As shown in FIG. 5A, GUI 500 includes a visualization window 510, avisualization control panel 520, and a value table 530. Visualizationwindow 510 may be used for presenting a view of the heat mapvisualization to the user in this example. The heat map visualizationmay be presented for a single field, e.g., as specified by the user viaa different GUI or control window (not shown) provided to the user viaGUI 500, where each row of the heat map is used to display the timing ofevents having the value corresponding to that row as their value for thefield. The heat map visualization provided within window 510 may be usedto graphically represent, for example, the event count distribution foreach value (i.e., shown in each row) in time slots across a selectedtime range, as described previously.

In the example shown in visualization window 510, the heat map displayedfor each row, which corresponds to a unique value for the selectedfield, may be divided into a plurality of individually colored or shadedboxes or regions, each representing a time slot or “bucket” and whosecolor or shade indicates the number of events having the value for thefield represented by that row and that have a time-stamp falling withinthe time slot, as described previously. The amount of time representedby each of the time slots or buckets in the heat map may be based on,for example, a time granularity specified by the user, e.g., based onuser input received via a time granularity control element of the GUI,as shown in FIG. 9C, which will be described in further detail below.Thus, each time slot or bucket shown in each row of the heat map may beused to indicate the event count or number of events that include theparticular field value and that occur at a time coinciding with the unitor period of time allocated to the time slot. A color gradient, shading,texture, or any other suitable visual indication may be used to indicatethe event count represented by a time slot or bucket in the heat map. Insome implementations, the visualization of each heat map box, e.g., eachsquare-shaped region, corresponding to a particular time slot or heatmap bucket may be adjusted according to its relative event count densitycompared to other heat map boxes in the entire heat map, the same row ofthe heat map, or the same column of the heat map. The size and shape ofeach box or region of the heat map may also indicate this relative eventcount density compared to other heat map boxes in the same row orcolumn. In an example, the size of visualized heat map boxes or regionscorresponding to relatively greater event counts densities (and thus,representing a larger number of event counts) may be relatively largerthan those heat map boxes/regions having relatively lower event countdensities. In an example, an outline or boundary may be visualized,e.g., as an overlay, surrounding particular heat map regions so as tohighlight or otherwise visually accentuate each region to the user as itis displayed within visualization window 510. As will be described infurther detail below, it should be noted that the relevant heat mapboxes or regions for the visualization may include, for example, thoseselected by the user via GUI 500, e.g., by manipulating one or morecontrol elements using a mouse or other type of user input device.

Various time-related controls may be provided to the user, as shown inFIGS. 9A-9C. In particular, FIG. 9B shows a segment 910 of a header rowdisplayed for the heat map visualization shown in FIG. 9A. As shown insegment 910 of FIG. 9B, the header row may be divided into a pluralityof time increments corresponding to the different time slots and columnsfor the heat map, as described above. In some implementations, the GUImay provide the user with a sort function that sorts all the rows(including both the rows of the value table 530 and the rows of window510 of FIG. 5A) based on increasing or decreasing counts for time slotsin a chosen column, where a given row's place after row sortingcorresponds to the count of events for the time slot in that row that isalso within the chosen column. All columns of the heat map visualizationmay be sortable. As shown in the example of FIG. 9B, the user may use amouse or other user input device to select a column corresponding to atime increment 915 in order to sort the rows based on the counts ofevents in time slots in the chosen column. The rows may be sorted ineither an ascending or descending order based on these counts. In afurther example, the GUI may enable the user to reorder the rows of theheat map visualization by using a drag and drop gesture with a userinput device, e.g., a mouse, other type of pointer device, or the user'sfinger for a touch gesture via a touch-screen display. For example, theuser may use the user input device to select one or more rowscorresponding to one or more values of the field within the heat mapvisualization and change the order of the heat map rows by dragging theselected row(s) from their original location to a desired destinationlocation within the heat map visualization.

FIG. 9C shows an exemplary time granularity control 920 including aslider control 925, which may be controlled by the user in order tochange the time granularity. However, it should be noted that control925 is not limited to a slider control and that any other type of usercontrol element suitable for enabling the user to change the timegranularity may be used to implement control 925. Examples of such othertypes of user controls include, but are not limited to, a menu control,a pop-up window, one or more checkboxes, one or more radio buttons, aspinner control, tabs, etc. Further, while not shown in FIGS. 9A-9C,additional controls, e.g., one or more date or time picker controls, maybe provided for enabling the user to select a desired time window ortime range (e.g., visible time range) of events to be represented by thevisualization provided in the GUI for each of the values of thespecified field. Examples of different time granularity options that maybe selected using control 925 include, but are not limited to, seconds,minutes, hours, days, weeks, and months. As shown in FIG. 9C, a controlelement 921 including information related to the particular timegranularity currently selected by the user may be displayed inconjunction with control 925. Control element 921 may be implemented as,for example, an informational tooltip within a window or dialog box(e.g., a “hover box”) displayed when the user selects or hovers aselection pointer over an appropriate portion of control 925 using amouse or other user input device.

Referring back to FIG. 5A, visualization control panel 520 of GUI 500may provide various controls enabling the user to configure or customizethe particular type of visualization presented within visualizationwindow 510. Value table 530 may include a plurality of rowscorresponding to the values identified for the specified field. Valuetable 530 may also include relevant statistics calculated from the eventcounts for time slots in the row corresponding to the statistics. Asshown in FIG. 5A, the various statistics that may be calculated anddisplayed for each row may include, for example and without limitation:a “Count” statistic indicating the total count of events in the selectedtime range in all the time slots of that row; “%” indicating thepercentage of events having the value for the field represented by agiven row that are covered in the visible time range as a percentage ofsuch events in the selected time range; “Avg” indicating the averagenumber of events per time slot or bucket within the row; “Min” forindicating the minimum number of events in any of the time slots orbuckets in the selected time range; and “Max” for the maximum number ofevents in any of the time slots or buckets in the selected time range.Those skilled in the relevant art would appreciate that any number ofother statistical calculations may be performed and displayed withinvalue table 530, as appropriate or desired for a particularimplementation. In some implementations, the user may select a “Min” or“Max” statistic displayed in table 530 for a particular field value,e.g., by using a mouse or other user input device to click or hover amouse/selection pointer over the statistic as it is displayed in table530, and the corresponding time slot or heat map square representing theminimum or maximum event count for the row may be highlighted orotherwise visually indicated to the user via GUI 500.

By enabling the user to view a visualization of the number of eventshaving various values for a field over time, GUI 500 may enable the userto notice patterns in the occurrence of values for a given field inevents. Such a visualization provided via GUI 500 may also allow theuser to find potential anomalies or useful patterns (e.g. periodicity)within a field's values, e.g., simply by viewing the visualizationpresented in visualization window 510. In an example, the user mightchoose to view the values for a “server status” field, which may includecategorical values of server responses (e.g., various HTTP status codes,such as 200, 301, 404, etc.). The visual representation of these valuesover time may enable the user to determine how the server's statusesrelate to each other, and possibly, detect correlations or anomalies.Thus, the capability to visualize a field's values over time may providethe user with a better understanding of the state of the particularserver.

In another example, the user might choose a field including valuesrepresenting the usage percentage of processor or central processingunit (CPU) of a server or other computing device within the enterprisenetwork environment. Such a CPU usage field may be a percentage (e.g.,56, 75, 90, 99, etc.). By visualizing values for the field over time inthe events that have that field, the user may easily determine how theCPU usage may change over time and, as before, detect any correlationsor anomalies in the field's values. Because the field in this exampleincludes numerical values, the relationship between the field's valuescan be meaningfully represented using two or more linear axes (e.g.,value and time). Examples of such a numerical field include, but are notlimited to, a CPU usage field, a network throughput field (e.g.,including values representing bytes transferred), or a network latencyfield (e.g., including response times for requests sent over thenetwork). However, it should be noted that a numerical field mayrepresent any type of data that can be represented by numeric values,including integers or real number values.

In the example shown in FIG. 5A, the data type of each value includedwithin value table 530 is a string. Thus, in contrast with the numericalfields having values of a numeric data type, as described in the priorexample above, it might not be possible to meaningfully represent therelationship between values of the specified field in the visualizationdisplayed within GUI 500 using two or more linear or numerical axes.Rather, at least one of the axes (i.e., the rows) may need to becategorical, with each row representing a particular string value forthe field, as shown in GUI 500. Examples of categorical fields that maybe extracted from indexed event data may include, but are not limitedto, server responses, universal resource identifiers (URIs), or thenames of an operating system or host associated with a particular datasource.

In some implementations, the particular data type of the specified fieldmay affect the particular visualization that may be used to representthe field's values over time. The values of a categorical field may berepresented using, for example, a heat map, as shown in FIG. 5A.However, the values of a numerical field may be visualized as, forexample, either a heat map or other type of data chart, e.g., a bubblechart as shown in each of FIGS. 10A and 10B, as will be described infurther detail below. It may be appreciated that a user may find onetype of visualization, e.g., a heat map, to be more advantageous orbetter suited for analyzing changes in categorical/string values overtime (with a different row for each unique string value for the chosenfield) relative to other types of data representations orvisualizations, e.g., a bubble chart for representing numerical valuesfor a field. In other implementations, the user may be provided anoption, e.g., via GUI 500, to switch between different types ofvisualizations, e.g., between a bubble chart and a heat map, for bothcategorical and/or numerical fields. Further, it should be noted thatthe present disclosure is not intended to be limited to heat maps andbubble charts and that any of various other types of visualizations orgraphical representations may be used to visualize changes in machinedata field values over time. Examples of such other types ofvisualizations include, but are not limited to, line graphs, bar graphs,pie charts, fractal maps, tree maps, waterfall charts, or stream-graphsincluding a stacked, linear, or curvilinear area graph displaced arounda central axis. Furthermore, such visualizations may be represented intwo-dimensional (2-D) and/or three-dimensional (3-D) forms, e.g., usingshapes visualized within 2-D and/or 3-D spaces, respectively.

In an example, the user may select a particular time slot or heat mapbucket in order to view additional information related to the selectedtime slot and the particular field value to which it corresponds. Theuser may be able to select the time slot by interacting directly with acorresponding box or region of the heat map displayed withinvisualization window 510, e.g., by selecting the region using a mouse,touchpad, keyboard, or any other user input device. The selected timeslot may be within a portion 515 of the displayed heat map, as shown inFIG. 5A.

FIG. 5B shows another view of portion 515 including an exemplaryinformation dialog window 545, e.g., in the form of a dropdown window orother type of user control element, which may be displayed withinvisualization window 510 of GUI 500 in conjunction with a square region540 of the heat map corresponding to the selected time slot. As shown inFIG. 5B, dialog window 545 may provide relevant information related tothe selected time slot corresponding to heat map square 540. Suchinformation may include, for example and without limitation, thecorresponding field value, a count value indicating the number of eventsassociated with the selected time slot, and a time period represented bythe time slot.

As noted previously, the user may be able to select multiple heat mapboxes, squares, or regions via GUI 500, e.g., by using a mouse or otheruser input device to “scan” or select and drag a virtual bounding boxacross or around one or more rows and/or columns of the heat mapdisplayed in visualization window 510. As the user selects additionalsquares representing different time slots within the heat map, theinformation displayed within dialog window 545 may update automaticallyand in real-time as each new heat map square is selected. In this way,the user may be able to select certain heat map squares corresponding toparticular values and time slots of interest, while filtering orexcluding other values and/or time slots from the visualization beingdisplayed within visualization window 510. In some embodiments, afterselecting a plurality of heat map squares within a virtual bounded box,a user may de-select desired squares so that information relating to thede-selected squares is excluded from the information displayed in dialogwindow 545.

In some implementations, the information displayed within dialog window545 may include, for example, hyperlinks that the user may select inorder to change the view, such as drilling down to a view of theunderlying events falling within the selected time slot. In the exampleshown in FIG. 5B, the value corresponding to the selected heat map box540 is displayed within window 545 as “NIEW/SPLUNK/SP-CAAAG57.” In anexemplary embodiment, this value may be displayed within window 545 as ahyperlink. For example, if the user in this example were to select thehyperlink, GUI 500 may display additional information about all of theevents corresponding to heat map box 540. Along those same lines, thecount (e.g., as reflected by “COUNT: 3690”) and the time range (e.g., asreflected by “3/7/2008, 12:45 AM-12:50 AM”) may each be generated as ahyperlink that a user may click or otherwise select to view the eventsassociated with the time slot for which the tooltip containing thehyperlink was generated.

As shown in FIG. 5C, GUI 500 may also provide the user with a set offormatting controls 550, e.g., within control window 525, which enablethe user to selectively customize the heat map visualization displayedwithin visualization window 510. In some implementations, formattingcontrols 550 may be displayed as selectable options within apop-up/dropdown menu, dialog box, or window of GUI 500. For example,such a menu or window may be accessible to the user by using a mouse orother type of user input device to select a corresponding button (e.g.,button labeled “Format Heat Map,” as shown in FIG. 5C) or other type ofcontrol displayed within GUI 500. Also, as shown in the example of FIG.5C, formatting controls 550 include a scope control 552, a scale control554, a color control 556, and a fit-to-screen control 558. However, itshould be noted that the formatting controls provided to the user arenot intended to be limited thereto. In an example, the particularformatting controls 550 provided to the user may be dependent upon, forexample, the particular events and user requirements for the types ofcontrol that the user may need for visualizing the data effectivelywithin the heat map. Further, the formatting controls 550 provided maybe dependent upon on the types of data underlying the heat mapvisualization. In an example, GUI 500 may be provided to the user via aclient application executable at a mobile computing device (e.g., asmartphone or tablet) having a touchscreen display. The user in thisexample may be able to use any of various single or multi-touch gesturesto manipulate different control elements, e.g., any of formattingcontrols 550, in order to control or customize any of various aspects ofthe visualization displayed within visualization window 510 and/or thevalues and statistics displayed within value table 530.

In the example shown in FIG. 5C, scope control 552 may enable the userto change the scope of the color gradient mapping for event countsvisualized in the heat map for each of the unique values of the fieldover time. Scope control 552 may provide various selectable options thatenable the user to control the scope of the mapping of the colorgradient to the range of event counts from a minimum to a maximum eventcount with respect to the rows and/or columns of the heat mapvisualization. As shown in FIG. 5C, such options may include, forexample and without limitation: an “ALL” option for selecting theminimum and maximum for a range of event counts to be mapped from countsof all heat map boxes in the entire visualization, i.e., across all rowsand columns of the heat map; a “ROW” option for selecting the minimumand maximum for a range of event counts on a row-by-row basis; and a“COLUMN” option for selecting the minimum and maximum for a range ofevent counts on a column-by-column basis.

Also, as shown in FIG. 5C, scale control 554 may be used to change thescale of the color gradient according to various scale optionsincluding, for example, a linear scale, a logarithmic scale, and a rank.The linear scale option may be selected to change the color gradientalong a linear scale based on the event count for one or more valuesacross a row or column. In this example, the gradient of the color orshade applied to rows or columns of the heat map may change uniformlyalong a linear scale from a minimum event count (or corresponding heatmap box) to a maximum event count (or corresponding heat map box). Itshould be appreciated that the scale of the color or shading gradientalso may be adjusted depending on the type of scope that was selected,as described above. For example, the minimum and maximum counts used fora graduated color or shading transition may change depending on whetherthe values are based on a single row, a single column, or all of therows and columns in the visualization. Thus, the selection of the linearscale option may cause the color or shade to be applied to regions ofthe heat map (e.g., heat map boxes along a row or column) in an even,graduated transition (e.g., from lighter to darker) in constantincrements from a minimum (e.g., a heat map box representing a minimumevent count) to a maximum (e.g., a heat map box representing a maximumevent count). In other words, each incremental increase in the count orchange in the number of events between successive heat map boxes in arow or column may result in a proportional increase in color or shading,regardless of whether the count or change is closer to a minimumcount/change or a maximum count/change. For example, the visualizationaccording to a linear scale may cause the density or intensity of thecolor or shade applied to a heat map box representing an event count of100 (or “a 100-count bucket”) to be twice as much as the density orintensity of the color or shade used for a 50-count bucket.

As another embodiment, a logarithmic scale option may be selected inorder to change the applied color gradient according to a logarithmicscale based on the event count for one or more values across a row orcolumn. In this example, the gradient of the color or shade applied torows or columns of the heat map may change gradually along a logarithmicscale from a minimum event count (or corresponding heat map box) to amaximum event count (or corresponding heat map box), in which the coloror shade is applied to successive heat map boxes from a minimum eventcount to a maximum event count in a graduated transition usingincreasingly greater increments of color or shade. In this embodiment,the change in color or shade depicted by such a logarithmic scale may beused to indicate a greater degree of difference between adjacent heatmap boxes representing relatively lower event counts that are closer tothe minimum within the range of event counts. For example, thevisualization according to a logarithmic scale may indicate a relativelygreater degree of difference between the colors or shades applied to a50-count bucket and a 60-count bucket than the difference indicatedbetween the shades of a 150-count bucket and a 160-count bucket. Anexample of such a logarithmic scale is shown by line graph 600A in FIG.6A.

The rank option may be used to assign a color gradient or level ofshading to each heat map square or time slot in a linear fashion basedon the rank of the particular event count. For example, for thefollowing set of event counts {1, 76, 77, 78}, each count or numericalvalue within the set may be ranked, e.g., from the lowest count to thehighest. Thus, the count “1” may be ranked first or lowest, “76” may besecond, “77” may be third, and “78” may be fourth or highest. The heatmap square corresponding to each of the event counts in this exampledata set may be colored according to its assigned rank. In an example,the color or shading of the heat map square having the lowest rankedcount (e.g., “1”) may be only 25% of the full color or shading, thesecond lowest (“76”) may have 50% color, the third lowest may have 75%color, and the highest ranked square (“78”) may have 100% of the fullcolor. However, it should be noted that any type of ranking scheme maybe used to rank the event counts. Thus, in the preceding example, theranking order may be reversed, and the count “78” may be ranked first orlowest, “77” may be second, “76” may be third, and “1” may be fourth orhighest ranked count. The rank option may be useful for differentiatingtightly packed data sets having counts that are relatively close invalue to one another.

While not shown in FIG. 5C, another scale control option that may beprovided to the user may be, for example, an exponential scale for thecolor gradient. Such an exponential scale option may be selected inorder to change the applied color gradient according to an exponentialscale based on the event count for one or more values across a row orcolumn. In this example, the gradient of the color or shade applied torows or columns of the heat map may change gradually along anexponential scale from a minimum event count (or corresponding heat mapbox) to a maximum event count (or corresponding heat map box), in whichthe color or shade is applied to successive heat map boxes from aminimum event count to a maximum event count in a graduated transitionusing increasingly lower increments of color or shade. In thisembodiment, the change in color or shade depicted by such an exponentialscale may be used to indicate a greater degree of difference betweenadjacent heat map boxes that represent relatively higher event countsand that are located closer to the maximum within the range of eventcounts. In this example, the difference indicated by the visualizationbetween the shade applied to a 150-count bucket and the shade applied toa 160-count bucket may be relatively greater than the differenceindicated between the respective shades applied to a 50-count bucket anda 60-count bucket. An example of such an exponential scale is shown byline graph 600B in FIG. 6B.

Referring back to formatting controls 550 of FIG. 5C, color control 556may be used to change the measure used for the color gradient. Colorcontrol 556 may provide a count option that causes the color gradientand color of each heat map square to be determined according to is eventcount, e.g., a count value representing the number of eventscorresponding to each heat map square. Color control 556 may alsoprovide a change option, which causes the color gradient and color ofeach heat map square to be determined based on a difference between itsevent count and the event count of an adjacently located heat mapsquare.

Screen control 558 may be used to enable or disable a “Fit to Screen”option that affects the display of values within value table 530 and theheat map within visualization window 510. For example, when this optionis disabled (e.g., set to “NO” via control 558), value table 530 isdisplayed such that each heat map row has a predetermined height andeach heat map column has a predetermined width, and the predeterminedheight and width may be set to ensure that, among other things, thevalues displayed within table 530 are legible for the user. An exampleof a heat map visualization with this option selected is illustrated bya GUI 700 in FIG. 7 . As this option may limit the number of values androws that can be displayed at the same time where fit-to-screen isflagged as “NO,” a scroll bar control 715 may be provided to enable theuser to scroll vertically in order to view any heat map rows that maynot be visible in the current view displayed via GUI 700. However, itshould be noted that screen control 558 is not necessarily limited tovertical scrolling and that when the fit-to-screen option is disabledusing control 558; as described above, additional controls (not shown)for enabling the user to scroll side-to-side may be provided as well,thereby allowing the user to modify the visible time range displayedwithin visualization window 510.

When the fit-to-screen option is enabled (e.g., set to “YES” via screencontrol 558), value table 530 may be hidden and all rows and columns ofthe heat map are displayed within the visible viewing area of the GUI,as shown by the exemplary GUI 800 of FIG. 8 . The height of the heat maprows and the width of the heat map columns may be adjusted to be surethe entire heat map fits on the viewable area of the screen. As all rowsand columns are displayed in this view, a scrollbar control, e.g., forvertical scrolling or side-to-side scrolling, may not be necessary.

In some implementations, additional controls may be provided forchanging the color gradient of the heat map across a spectrum from alight color or shade to a dark color or shade, according to thecorresponding event counts of the heat map squares or associated timeslots. In an example, a “High” option for such a control may cause thegradient to be adjusted from a light color or shade at low event countsto progressively darker color/shade for relatively higher event counts.Conversely, the control may include a “Low” option for adjusting thegradient from a dark color at low values to progressively lighter colorsor shades for relatively higher event counts.

While the exemplary GUIs described above with respect to FIGS. 5A-9Crelate to visualizing discrete values for a field over time, the GUIprovided to the user also may be used to visualize values for anumerical field over time by plotting them against a vertical numberaxis (as well as a horizontal time axis) rather than assigning eachunique value for the field of interest to an individual row, as will bedescribed below with respect to FIGS. 10A and 10B. It should be notedthat the techniques disclosed herein with respect to the examplesprovided below with respect to FIGS. 10A and 10B also may be applied tothe exemplary GUIs described above with respect to FIGS. 5A-9C. Further,while not shown in the exemplary GUIs described herein, it should benoted that any number of additional controls may be provided to the userfor controlling or customizing the visualization of a field's valuesprovided to the user. In an example, such additional controls mayinclude a control enabling the user to switch or adjust a “base” ordefault color used for the heat map visualization, e.g., from oneprimary color to another (e.g., blue to red) or across a palette ofdifferent colors that may be supported in a particular implementation.In a further example, the user may be able to specify different colorsfor visualizing different values (and rows). In some implementations,the user may be able to designate a particular color to be used for acategory of values, for example, as may be defined based on one or morepredetermined or user-specified thresholds for arranging field valuesaccording to different time periods (e.g., including one or more timeslots) within the time range and/or different ranges of event counts.

FIG. 10A illustrates an exemplary view 1000A of a GUI (hereinafterreferred to as “GUI 1000A”) for displaying a visualization of values fora specified numerical field over a selected time range. GUI 1000A mayinclude one or more of the features of the other GUIs described herein.As shown in FIG. 10A, GUI 1000A includes a visualization window 1040Aand a value table 1030A. Window 1040A may be used for displaying avisualization of the numerical field's values over the time range, or atleast a visible portion thereof. Also, as shown in FIG. 10A, a set ofzoom controls 1002 may be provided for enabling the user to increase ordecrease a level of zoom at which the visualization is displayed withinwindow 1040A. Furthermore, an event summary 1004 including statisticalinformation also may be provided in a portion of GUI 1000A.

Value table 1030A may include rows of the extracted values of thespecified field. The values in table 1030A may correspond to the sameevent data that is graphed using the bubble chart. However, table 1030Amay include any suitable values or statistics, as desired for aparticular implementation. In one example, value table 1030A may includethe date and the field value. In some implementations, an option to hidevalue table 1030A may be provided in order to increase the size of thevisualization as it is displayed in visualization window 1040A of GUI1000A. When a user selects a bubble corresponding to an event, the eventmay be identified in the visualization.

While the exemplary visualization shown in FIGS. 10A and 10B are bubblecharts, it should be noted that any type of visualization may be used tovisualize numeric values of a specified numerical field. In an example,each event may be represented by a bubble in the visualized bubblechart. As each bubble in the chart may be displayed using the same or adefault level of opacity, it may become difficult for the user todistinguish between overlapping points or bubbles that occur around thesame time within the chart and that represent values that are the sameor close to each other. This may be true even when, for example, thedisparity between different event counts is relatively high (e.g., 1 and200). Thus, in some embodiments, the overlapping bubbles occurringaround the same time, e.g., within a predetermined time period, may beshown using varying levels of opacity in order to make these overlappingpoints or bubbles easier to distinguish from one another within thechart. For example, an area having a relatively greater number ofoverlapping points or events, e.g., above a predetermined threshold, maybe displayed using a darker shade. Thus, in some embodiments, thedensity measure for different event counts may be visualized such thatwhen an opacity of overlapping points surpasses a predeterminedthreshold or maximum shade, the color or shading may be changed to adistinctly unique color or shade designated to represent relativelyhigher density event counts. For example, a different color and/orshading (e.g., a light red color instead of a darker red or blue) may beused to visualize relatively lower or higher density event counts. Insome embodiments, multiple overlapping points or bubbles, e.g., above apredetermined threshold, within an area of the bubble chart (e.g.,corresponding to the same predetermined time period) may be combinedinto a single bubble of a relatively larger size, thereby providing arelatively easier way to visually distinguish a plurality of eventcounts occurring around the same time.

In some implementations, the different colors or shading applied tovarious event count densities may be represented using, for example, agraphical overlay visualized with respect to the bubble chart (or one ormore bubbles thereof), as displayed within visualization windows 1040Aor 1040B of FIG. 10A or 10B, respectively. In some implementations, therelative size and/or shape of each bubble displayed within the bubblechart may be adjusted according to its event count density. For example,the size of a bubble having a relatively higher event count density, andthus, representing a relatively greater number of event counts, may berelatively larger than a bubble having a relatively lower event countdensity and representing a relatively smaller number of event counts. Ina further example, a predetermined minimum event count threshold, e.g.,as configured by the user, may be used to define the minimum number ofevent counts required for a bubble (or its corresponding event datapoint) to be visualized. While the examples provided above are describedin the context of different implementations for the bubble chartdisplayed in visualization windows 1040A or 1040B of FIG. 10A or 10B,respectively, it should be noted that the disclosed techniques may beapplied to other types of visualizations, including to the differentboxes or square regions of the heat map visualization, described abovewith respect to FIGS. 5A-9C.

FIG. 10B illustrates another view 1000B of the exemplary GUI of FIG. 10A(hereinafter referred to as “GUI 1000B”) for displaying a visualizationof the selected numerical field's values over the selected time range.Unlike GUI 1000A shown in FIG. 10A, the values displayed in GUI 1000B ofFIG. 10B may be separated according to values for another field, e.g.,as specified by a user via a “split-by” control 1020 of GUI 1000A (andGUI 1000B). By invoking control 1020, the user may be able to split orbreak up the bubble chart into separate categories based on anotherspecified field (e.g., a source type field). For example, splitting CPUusage by source type may cause the color of the bubbles in the chart tochange based on the particular source type with which each bubble andcorresponding event is associated.

In some implementations, the user's selection of a field value withinthe table or the visualization may cause a new GUI window to appear,which displays information related to only the selected field value.FIGS. 11A-11D illustrate an exemplary GUI that may be displayed for thispurpose. For example, if the field was URI and the user clicked thevalue “/download,” a GUI 1100A may be displayed, in which only datarelated to the “/download” value is visualized, such as a count ofevents at different times that have the selected value for the field.

Further, the user may be presented with a set of controls including, forexample and without limitation, controls 1110, 1112, 1114, and 1116, asshown in FIGS. 11A-11D, respectively, for invoking different dataanalysis functions with respect to the selected field value. Adistribution control 1110 may be used to plot the number of eventshaving a given value for a field over a selected time range, as shown inFIG. 11A. The visualization shown in FIG. 11B may be displayed byselecting a prediction control 1112 for predicting what the plot of thenumber of events having the specified value for the field would looklike for future time periods based on extrapolating from the actualnumber of events for time periods for which this is known. In FIG. 11C,a baseline control 1114 may be selected for visualizing a comparisonplot of the actual number of events having a specified value for theselected field against what would have been expected by extrapolatingout what this plot would have been expected to look like from earliertime periods. In FIG. 11D, an outlier control 1116 may be used to invokedata analysis features for finding any potential outliers in the dataover time. Also, as shown in FIG. 11D, a split-by control 1118 may alsobe provided, which may allow the user to split or categorize portions ofthe value's data according to another specified field, much like thesplit-by control of GUI 1000, as shown in FIGS. 10A and 10B anddescribed above.

Further, any number of additional controls may be provided to the uservia each of GUIs 1100A, 1100B, 1100C, and 1100D of FIGS. 11A, 11B, 11C,and 11D, respectively. Such additional controls may include, for exampleand without limitation, a control enabling the user to invoke a sortfunction. Similar to the sort function described above with respect toFIGS. 9A and 9B, the sort function in this example may allow the user tosort the event data points plotted along the line graph in a desiredorder, e.g., in either an ascending or descending order based on thecorresponding event counts. The sortable event counts in this examplemay correspond to, for example, the numbers shown along the y-axis ofthe visualized charts and line graphs shown in each of FIGS. 11A-11D.Thus, for example, the event counts displayed along the y-axis may besorted automatically based on input received from the user, and theplotted data and corresponding line graph may also be updatedaccordingly.

The examples described above with respect to FIGS. 1-11D, or any part(s)or function(s) thereof, may be implemented using hardware, softwaremodules, firmware, tangible computer readable media having instructionsstored thereon, or a combination thereof and may be implemented in oneor more computer systems or other processing systems.

FIG. 12 illustrates a high-level functional block diagram of anexemplary computer system 1200, in which embodiments of the presentdisclosure, or portions thereof, may be implemented, e.g., ascomputer-readable code. For example, visualization system 150 of FIG. 1and data intake and query system of FIGS. 1 and 2 can be implemented incomputer system 1200 using hardware, software, firmware, tangiblecomputer readable media having instructions stored thereon, or acombination thereof and may be implemented in one or more computersystems or other processing systems. Hardware, software, or anycombination of such may embody any of the modules and components inFIGS. 1-2 .

If programmable logic is used, such logic may execute on a commerciallyavailable processing platform or a special purpose device. One ofordinary skill in the art may appreciate that embodiments of thedisclosed subject matter can be practiced with various computer systemconfigurations, including multi-core multiprocessor systems,minicomputers, mainframe computers, computer linked or clustered withdistributed functions, as well as pervasive or miniature computers thatmay be embedded into virtually any device.

For instance, at least one processor device and a memory may be used toimplement the above described embodiments. A processor device may be asingle processor, a plurality of processors, or combinations thereof.Processor devices may have one or more processor “cores.”

Various embodiments of the present disclosure, as described above in theexamples of FIGS. 1-11D may be implemented using computer system 1200.After reading this description, it will become apparent to a personskilled in the relevant art how to implement embodiments of the presentdisclosure using other computer systems and/or computer architectures.Although operations may be described as a sequential process, some ofthe operations may in fact be performed in parallel, concurrently,and/or in a distributed environment, and with program code storedlocally or remotely for access by single or multiprocessor machines. Inaddition, in some embodiments the order of operations may be rearrangedwithout departing from the spirit of the disclosed subject matter.

As shown in FIG. 12 , computer system 1200 includes a central processingunit (CPU) 1220. CPU 1220 may be any type of processor device including,for example, any type of special purpose or a general purposemicroprocessor device. As will be appreciated by persons skilled in therelevant art, CPU 1220 also may be a single processor in amulti-core/multiprocessor system, such system operating alone, or in acluster of computing devices operating in a cluster or server farm. CPU1220 is connected to a data communication infrastructure 1210, forexample, a bus, message queue, network, or multi-core message-passingscheme.

Computer system 1200 also includes a main memory 1240, for example,random access memory (RAM), and may also include a secondary memory1230. Secondary memory 1230, e.g., a read-only memory (ROM), may be, forexample, a hard disk drive or a removable storage drive. Such aremovable storage drive may comprise, for example, a floppy disk drive,a magnetic tape drive, an optical disk drive, a flash memory, or thelike. The removable storage drive in this example reads from and/orwrites to a removable storage unit in a well-known manner. The removablestorage unit may comprise a floppy disk, magnetic tape, optical disk,etc. which is read by and written to by the removable storage drive. Aswill be appreciated by persons skilled in the relevant art, such aremovable storage unit generally includes a computer usable storagemedium having stored therein computer software and/or data.

In alternative implementations, secondary memory 1230 may include othersimilar means for allowing computer programs or other instructions to beloaded into computer system 1200. Examples of such means may include aprogram cartridge and cartridge interface (such as that found in videogame devices), a removable memory chip (such as an EPROM, or PROM) andassociated socket, and other removable storage units and interfaces,which allow software and data to be transferred from a removable storageunit to computer system 1200.

Computer system 1200 may also include a communications interface (“COM”)1260. Communications interface 1260 allows software and data to betransferred between computer system 1200 and external devices.Communications interface 1260 may include a modem, a network interface(such as an Ethernet card), a communications port, a PCMCIA slot andcard, or the like. Software and data transferred via communicationsinterface 1260 may be in the form of signals, which may be electronic,electromagnetic, optical, or other signals capable of being received bycommunications interface 1260. These signals may be provided tocommunications interface 1260 via a communications path of computersystem 1200, which may be implemented using, for example, wire or cable,fiber optics, a phone line, a cellular phone link, an RF link or othercommunications channels.

The hardware elements, operating systems and programming languages ofsuch equipment are conventional in nature, and it is presumed that thoseskilled in the art are adequately familiar therewith. Computer system1200 also may include input and output ports 1250 to connect with inputand output devices such as keyboards, mice, touchscreens, monitors,displays, etc. Of course, the various server functions may beimplemented in a distributed fashion on a number of similar platforms,to distribute the processing load. Alternatively, the servers may beimplemented by appropriate programming of one computer hardwareplatform.

Program aspects of the technology may be thought of as “products” or“articles of manufacture” typically in the form of executable codeand/or associated data that is carried on or embodied in a type ofmachine readable medium. “Storage” type media include any or all of thetangible memory of the computers, processors or the like, or associatedmodules thereof, such as various semiconductor memories, tape drives,disk drives and the like, which may provide non-transitory storage atany time for the software programming. All or portions of the softwaremay at times be communicated through the Internet or various othertelecommunication networks. Such communications, for example, may enableloading of the software from one computer or processor into another, forexample, from a management server or host computer of the mobilecommunication network into the computer platform of a server and/or froma server to the mobile device. Thus, another type of media that may bearthe software elements includes optical, electrical and electromagneticwaves, such as used across physical interfaces between local devices,through wired and optical landline networks and over various air-links.The physical elements that carry such waves, such as wired or wirelesslinks, optical links or the like, also may be considered as mediabearing the software. As used herein, unless restricted tonon-transitory, tangible “storage” media, terms such as computer ormachine “readable medium” refer to any medium that participates inproviding instructions to a processor for execution.

While principles of the present disclosure are described herein withreference to illustrative embodiments for particular applications, itshould be understood that the disclosure is not limited thereto. Thosehaving ordinary skill in the art and access to the teachings providedherein will recognize additional modifications, applications,embodiments, and substitution of equivalents all fall within the scopeof the embodiments described herein. Accordingly, this disclosure is notto be considered as limited by the foregoing description.

The breadth and scope of the present disclosure should not be limited byany of the above-described exemplary embodiments, but should be definedonly in accordance with the following claims and their equivalents.

Having thus described the invention, what is claimed is:
 1. Acomputer-implemented method comprising: causing display of a graphicaluser interface, the graphical user interface including a first elementenabling input to specify a time range and a second element enablinginput to specify a field; upon receiving first input specifying the timerange and second input specifying the field, identifying a plurality ofevents, wherein each event of the plurality events is associated withrespective a timestamp that is within the time range; determining, usingvalues for the field included in the plurality of events, unique values;causing display, in the graphical user interface, of a visualization ofthe unique values, the visualization including a first set of rows foreach unique value, wherein each row of the first set of rows is dividedinto regions each representing a timeslot within the time range, whereineach region in a particular row of the first set of rows graphicallyillustrates a count of events from the plurality of events that bothhave an associated timestamp that is within a respective timeslotrepresented by the region and include a particular unique valueassociated with the particular row; causing display, in the graphicaluser interface, of a table including a second set of rows that eachcorrespond to the first set of rows, wherein each row of the second setof rows includes a set of statistics determined from events from theplurality of events, and wherein the table and the visualization areconcurrently displayed; and based on a user input of hovering, scanning,or dragging on a specific area of the visualization, causingpresentation of a dialog window that includes a hyperlink that, whenselected, causes presentation of additional information related to thespecific area of visualization.
 2. The method of claim 1, wherein thetable includes a set of columns, and wherein each column of the set ofcolumns corresponds with a particular type of statistic.
 3. The methodof claim 1, wherein based on a user selection of a set of regionspresented in the visualization, causing presentation of a dialog windowthat provides information related to the set of regions.
 4. The methodof claim 1, wherein the regions are vertically aligned by acorresponding timeslot.
 5. The method of claim 1, wherein each event ofthe plurality of events includes a portion of raw data from which theevent was derived, the raw data related to security or performance ofone or more information technology systems.
 6. The method of claim 1further comprising causing display, in the graphical user interface, ofa set of formatting controls that enable user selection of at least oneformat to apply to the visualization, wherein the at least one formatcomprises a color format for indicating colors applied to the regions inthe visualization.
 7. The method of claim 1 further comprising causingdisplay, in the graphical user interface, of a set of formattingcontrols that enable user selection of at least one format to apply tothe visualization, wherein the set of formatting controls displayed areselected based on a type of data associated with the visualization. 8.The method of claim 1 further comprising causing display, in thegraphical user interface, of a set of formatting controls that enableuser selection of at least one format to apply to the visualization,wherein at least one formatting control comprises a scope controlenabling control of a scope of a color gradient mapping for theplurality of events indicated in the visualization.
 9. The method ofclaim 1 further comprising causing display, in the graphical userinterface, of a scale control enabling user selection of a colorgradient based on a linear scale, a logarithmic scale, a rank, or anexponential scale.
 10. The method of claim 1, further comprising sortingthe first set of rows, wherein each row is sorted in ascending ordescending order based on a number of events corresponding to anintersection of that row with a selected time period.
 11. The method ofclaim 1, further comprising reordering the first set of rows based on adrag and drop gesture received from a user input device.
 12. The methodof claim 1, wherein each region in the particular row of the first setof rows graphically illustrates the count of events via a color or acolor gradient.
 13. A non-transitory computer readable storage medium,storing instructions that, when executed by one or more processors,cause performance of: causing display of a graphical user interface, thegraphical user interface including a first element enabling input tospecify a time range and a second element enabling input to specify afield; upon receiving first input specifying the time range and secondinput specifying the field, identifying a plurality of events, whereineach event of the plurality events is associated with respective atimestamp that is within the time range; determining, using values forthe field included in the plurality of events, unique values; causingdisplay, in the graphical user interface, of a visualization of theunique values, the visualization including a first set of rows for eachunique value, wherein each row of the first set of rows is divided intoregions each representing a timeslot within the time range, wherein eachregion in a particular row of the first set of rows graphicallyillustrates a count of events from the plurality of events that bothhave an associated timestamp that is within a respective timeslotrepresented by the region and include a particular unique valueassociated with the particular row; causing display, in the graphicaluser interface, of a table including a second set of rows that eachcorrespond to the first set of rows, wherein each row of the second setof rows includes a set of statistics determined from events from theplurality of events, and wherein the table and the visualization areconcurrently displayed; and based on a user input of hovering, scanning,or dragging on a specific area of the visualization, causingpresentation of a dialog window that includes a hyperlink that, whenselected, causes presentation of additional information related to thespecific area of visualization.
 14. The non-transitory computer readablestorage medium of claim 13, further comprising causing display, in thegraphical user interface, of a set of formatting controls that enableuser selection of at least one format to apply to the visualization,wherein the at least one format comprises a color format for indicatingcolors applied to the regions in the visualization.
 15. Thenon-transitory computer readable storage medium of claim 13, furthercomprising causing display, in the graphical user interface, of a scalecontrol enabling user selection of a color gradient based on a linearscale, a logarithmic scale, a rank, or an exponential scale.
 16. Thenon-transitory computer readable storage medium of claim 13, furthercomprising sorting the first set of rows, wherein each row is sorted inascending or descending order based on a number of events correspondingto an intersection of that row with a selected time period.
 17. Thenon-transitory computer readable storage medium of claim 13, whereineach region in the particular row of the first set of rows graphicallyillustrates the count of events via a color or a color gradient.
 18. Asystem comprising: a memory having processor-readable instructionsstored therein; and a processor configured to access the memory andexecute the processor-readable instructions, which when executed by theprocessor, configures the processor to perform a plurality of functions,including functions to: cause display of a graphical user interface, thegraphical user interface including a first element enabling input tospecify a time range and a second element enabling input to specify afield; upon receiving first input specifying the time range and secondinput specifying the field, identify a plurality of events, wherein eachevent of the plurality events is associated with respective a timestampthat is within the time range; determine, using values for the fieldincluded in the plurality of events, unique values; cause display, inthe graphical user interface, of a visualization of the unique values,the visualization including a first set of rows for each unique value,wherein each row of the first set of rows is divided into regions eachrepresenting a timeslot within the time range, wherein each region in aparticular row of the first set of rows graphically illustrates a countof events from the plurality of events that both have an associatedtimestamp that is within a respective timeslot represented by the regionand include a particular unique value associated with the particularrow; cause display, in the graphical user interface, of a tableincluding a second set of rows that each correspond to the first set ofrows, wherein each row of the second set of rows includes a set ofstatistics determined from events from the plurality of events, andwherein the table and the visualization are concurrently displayed; andbased on a user input of hovering, scanning, or dragging on a specificarea of the visualization, cause presentation of a dialog window thatincludes a hyperlink that, when selected, causes presentation ofadditional information related to the specific area of visualization.